A cloud management platform obtains service configuration information configured by a tenant on the cloud management platform, where the service configuration information includes one or more of the following: a network identifier, a terminal node identifier, and a terminal node type. The network identifier indicates identifiers of networks including at least two resource pools that establish a network connection, each terminal node corresponds to one resource pool, the resource pools correspond to a plurality of service providers, each resource pool includes a plurality of computing nodes, the plurality of computing nodes are used to run a business of the tenant, and the terminal node type indicates a type of a resource pool corresponding to the terminal node. The cloud management platform creates corresponding terminal nodes for the at least two resource pools based on the terminal node type.
Legal claims defining the scope of protection, as filed with the USPTO.
. A method comprising:
. The method of, wherein the service configuration information further comprises a terminal node pair or a connection status of the terminal node pair, wherein the terminal node pair indicates two terminal nodes, and wherein the connection status indicates connection allowed and/or connection forbidden.
. The method of, wherein the service configuration information further comprises a routing rule between a network segment comprised in the at least one resource pool and a corresponding terminal node of the terminal nodes.
. The method of, wherein the service configuration information further comprises a local security policy and an inter-domain security policy.
. The method of, further comprising obtaining, by the cloud management platform, a resource pool type, resource pool location information, resource pool virtual private cloud (VPC) information, resource pool subnet information, interface information about an interface for a resource pool inter-domain gateway, and virtual local area network (VLAN) information.
. The method of, further comprising:
. The method of, further comprising invoking, by a first local controller of the local controllers, an application programming interface (API) of an intra-site controller in a first resource pool of the resource pools to send routing information to the intra-site controller.
. The method of, wherein the routing information comprises a type of a next hop, a Virtual eXtensible LAN (VxLAN) network identifier (VNID) of network virtualization technology VxLAN tunnel encapsulation, an outer destination Internet Protocol (IP) address of the VxLAN tunnel encapsulation, and an outer destination local area network address medium access control (MAC) address of the VxLAN tunnel encapsulation.
. The method of, further comprising invoking, by a first local controller of the local controllers, a first application programming interface (API) of an intra-site controller in a first resource pool of the resource pools to send a subscription request to the intra-site controller, wherein the subscription request requests to subscribe to a resource change event in the first resource pool.
. The method of, further comprising invoking, by the intra-site controller, a second API of the first local controller to send a notification message to the local controller, wherein the notification message indicates the resource change event.
. The method of, wherein the type comprises a homogeneous cloud, a heterogeneous cloud, a virtual resource pool, or a conventional resource pool.
. A cloud management platform comprising:
. The cloud management platform of, wherein the service configuration information further comprises a terminal node pair or a connection status of the terminal node pair, wherein the terminal node pair indicates two terminal nodes, and wherein the connection status indicates connection allowed and/or connection forbidden.
. The cloud management platform of, wherein the service configuration information further comprises a routing rule between a network segment comprised in at least one resource pool and a corresponding terminal node of the terminal nodes.
. The cloud management platform of, wherein the service configuration information further comprises a local security policy and an inter-domain security policy.
. The cloud management platform of, wherein the one or more processors are further configured to execute the instructions to cause the cloud management platform to obtain a resource pool type, resource pool location information, resource pool virtual private cloud (VPC) information, resource pool subnet information, interface information about an interface for a resource pool inter-domain gateway, and virtual local area network (VLAN) information.
. A computing device cluster, comprising:
.-. (canceled)
. The computing device cluster of, wherein the service configuration information further comprises a terminal node pair or a connection status of the terminal node pair, wherein the terminal node pair indicates two terminal nodes, and wherein the connection status indicates connection allowed and/or connection forbidden.
. The computing device cluster of, wherein the service configuration information further comprises a routing rule between a network segment comprised in the at least one resource pool and a corresponding terminal node of the terminal nodes.
. The computing device cluster of, wherein the service configuration information further comprises a local security policy and an inter-domain security policy.
Complete technical specification and implementation details from the patent document.
This application is a continuation of Int'l Patent App. No. PCT/CN2023/104303, filed on Jun. 29, 2023, which claims priority to Chinese Patent App. No. 202211352006.6, filed on Oct. 31, 2022, and Chinese Patent App. No. 202310484280.7, filed on Apr. 28, 2023, all of which are incorporated by reference.
This disclosure relates to the field of computer technologies, and in particular, to a management method for a multi-resource pool network, a cloud management platform, and an apparatus.
With development of cloud computing technologies and growth of enterprise businesses, enterprises may use a plurality of cloud vendors to provide unified computing/storage services to improve cloud infrastructure capabilities and control costs. In the future, a hybrid multi-cloud multi-pool architecture will be a mainstream form to support the enterprise businesses.
The hybrid multi-cloud multi-pool architecture generally includes two or more resource pools. These resource pools run the businesses together, and the businesses generally require the resource pools to share business data. That is, an interworking network needs to be constructed between the resource pools. However, because the resource pools are technically isolated from one another (for example, they come from different vendors and use different network models and communication technologies), configuring an interworking network between any set of resource pools is currently complex and inefficient. This has always been a pain point of constructing and managing a heterogeneous system. How to resolve the complex network management problem in a hybrid multi-cloud multi-pool architecture is an urgent problem at present.
This disclosure provides a management method for a multi-resource pool network, a cloud management platform, and an apparatus, to provide a user with a unified management tool for a hybrid multi-cloud multi-pool network, simplifying management of the user on the hybrid multi-cloud multi-pool network.
According to a first aspect, this application provides a management method for a multi-resource pool network that is applied to a cloud management platform. In the method, the cloud management platform may provide a network interworking service for a tenant. The cloud management platform obtains service configuration information configured by the tenant for the network interworking service. The service configuration information includes one or more of the following: a network identifier (ID) such as a segment, a terminal node (for example, an endpoint) identifier, and a terminal node type. The network identifier indicates an identifier of a global network of the tenant. The global network includes at least two resource pools. A network connection may be established between any two of the at least two resource pools, to implement interworking across resource pools. The at least two resource pools may be from a plurality of service providers (or cloud resource providers). For example, one of the at least two resource pools is from a cloud vendor A, and another resource pool is from a cloud vendor B. Each resource pool generally includes a plurality of computing nodes. The plurality of computing nodes are used to run a business of the tenant. A terminal node indicates one resource pool in the global network of the tenant. Correspondingly, the terminal node identifier uniquely identifies one resource pool, and the terminal node type indicates the type of the resource pool identified by the terminal node identifier. After obtaining the service configuration information, the cloud management platform creates corresponding terminal nodes for the at least two resource pools based on the terminal node type.
According to the foregoing method, the cloud management platform provides a network interworking service. The tenant may configure service configuration information of the network interworking service based on the multi-resource pool network that a business actually requires, for example, configure a terminal node identifier identifying each resource pool in the actual resource pool configuration and a terminal node type indicating each resource pool's type. The cloud management platform sequentially creates, based on the terminal node type, the terminal node corresponding to each resource pool, to construct a global network that may represent a plurality of resource pools of the tenant, where the plurality of resource pools may be from a plurality of service providers and are not limited to resource pools of a same service provider. A unified management manner for a hybrid multi-cloud multi-pool network is thereby provided for the tenant, simplifying the tenant's management of the hybrid multi-cloud multi-pool network.
In a possible implementation, any two terminal nodes communicate with each other by default, or a connection status between the terminal nodes is provided for the tenant to perform configuration. Correspondingly, the service configuration information further includes one or more of the following: a terminal node pair, and a connection status of the terminal node pair, where the terminal node pair includes two terminal nodes, and the connection status of the terminal node pair includes connection allowed and/or connection forbidden.
According to the foregoing method, whether a connection between any two resource pools in the plurality of resource pools of the tenant is allowed or forbidden is set based on the terminal node pair and the connection status of the terminal node pair, so that flexibility of configuring interworking between resource pools is provided for the tenant.
In a possible implementation, the service configuration information further includes a routing rule between a network segment included in at least one resource pool and the terminal node.
According to the foregoing method, flexibility of configuring routing rules between network segments in the resource pool and the terminal node is provided for the tenant.
In a possible implementation, the service configuration information further includes a local security policy and an inter-domain security policy.
According to the foregoing method, flexibility of configuring a traffic security policy for interworking between a plurality of resource pools is provided for the tenant, improving traffic security of communication in the resource pool and between resource pools.
In a possible implementation, the method further includes: obtaining one or more of the following configured by the tenant on the cloud management platform: a type of the resource pool, location information of the resource pool, virtual private cloud (VPC) information of the resource pool, subnet information of the resource pool, information about the interface through which an inter-domain gateway accesses the resource pool, and virtual local area network (VLAN) information.
In a possible implementation, the cloud management platform is further configured to manage a cloud service system, the cloud service system includes a global controller and at least two local controllers, and one local controller corresponds to one of the at least two resource pools. The method further includes: The global controller obtains the service configuration information from the cloud management platform. The global controller sends the service configuration information to each local controller.
According to the foregoing method, the cloud management platform maps, to each resource pool by using the cloud service system, the service configuration information configured by the tenant, and the tenant does not need to care about implementation of an underlying network, simplifying management of the tenant on the hybrid multi-cloud multi-pool network.
In a possible implementation, the method further includes: The local controller invokes a first application programming interface (API) of an intra-site controller in a corresponding resource pool to send routing information to the intra-site controller.
According to the foregoing method, a standard first API is provided and unified, and the local controller may exchange routing information with an intra-site controller in a resource pool of any type based on the first API, to meet a plurality of business requirements of the tenant.
In a possible implementation, the routing information includes some or all of the following: a type of a next hop, a Virtual eXtensible LAN (VxLAN) network identifier (VNID) for VxLAN tunnel encapsulation, an outer destination Internet Protocol (IP) address of the VxLAN tunnel encapsulation, and an outer destination medium access control (MAC) address of the VxLAN tunnel encapsulation.
According to the foregoing method, the routing information may be used by the computing node in the resource pool to perform VxLAN packet encapsulation, so that the computing node is directly connected to the inter-domain gateway in one hop, implementing an optimal data plane path.
In a possible implementation, the method further includes: The local controller invokes a second API of the intra-site controller in the corresponding resource pool to send a subscription request to the intra-site controller, where the subscription request is used to request to subscribe to a resource change event in the resource pool.
In a possible implementation, the type of the resource pool includes: a homogeneous cloud, a heterogeneous cloud, a virtual resource pool, and a physical resource pool.
According to the foregoing method, a networking requirement of the tenant for resource pools of different types is met, and a same management manner is provided for hybrid multi-cloud multi-pool networks of various types.
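The following is an added example, not code from the patent or from any vendor's platform: it models the service configuration described above (network identifier, terminal nodes with their types, terminal node pairs with a connection status, and routing rules between network segments and terminal nodes), validates it the way a cloud management platform would before accepting it, and computes the per-resource-pool slice that a global controller would hand to each local controller. All identifiers, pool-type labels, and CIDR values are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
import ipaddress

# Resource pool types named on the page; the string values are constructed labels.
class PoolType(Enum):
    HOMOGENEOUS_CLOUD = "homogeneous_cloud"
    HETEROGENEOUS_CLOUD = "heterogeneous_cloud"
    VIRTUAL_POOL = "virtual_resource_pool"
    PHYSICAL_POOL = "physical_resource_pool"

@dataclass(frozen=True)
class TerminalNode:
    node_id: str         # uniquely identifies one resource pool in the global network
    pool_type: PoolType  # the terminal node type

@dataclass(frozen=True)
class RoutingRule:
    segment: str         # CIDR of a network segment inside the resource pool
    node_id: str         # terminal node that owns the segment

@dataclass
class ServiceConfig:
    network_id: str                                    # the tenant's global network
    nodes: list                                        # [TerminalNode, ...]
    forbidden: set = field(default_factory=set)        # {frozenset({a, b}), ...}
    allowed: set = field(default_factory=set)
    routing_rules: list = field(default_factory=list)  # [RoutingRule, ...]

def validate(cfg: ServiceConfig) -> list:
    """Return the list of configuration errors; an empty list means the config is sound."""
    errors = []
    ids = [n.node_id for n in cfg.nodes]
    if len(ids) < 2:
        errors.append("a global network needs at least two terminal nodes")
    if len(set(ids)) != len(ids):
        errors.append("terminal node identifiers must be unique")
    known = set(ids)
    for pair in cfg.forbidden | cfg.allowed:
        if len(pair) != 2:
            errors.append(f"pair {sorted(pair)} must name two distinct terminal nodes")
        elif not pair <= known:
            errors.append(f"pair {sorted(pair)} references an unknown terminal node")
    for pair in cfg.forbidden & cfg.allowed:
        errors.append(f"pair {sorted(pair)} is both allowed and forbidden")
    seen = []  # (network, node_id) of rules already checked
    for rule in cfg.routing_rules:
        if rule.node_id not in known:
            errors.append(f"routing rule {rule.segment} references unknown node {rule.node_id}")
        try:
            net = ipaddress.ip_network(rule.segment, strict=True)
        except ValueError:
            errors.append(f"routing rule segment {rule.segment!r} is not a valid CIDR")
            continue
        # A segment claimed by two different pools would make inter-domain routing ambiguous.
        for other_net, other_id in seen:
            if other_id != rule.node_id and net.overlaps(other_net):
                errors.append(f"segment {net} ({rule.node_id}) overlaps {other_net} ({other_id})")
        seen.append((net, rule.node_id))
    return errors

def connection_allowed(cfg: ServiceConfig, a: str, b: str) -> bool:
    """Any two terminal nodes interwork by default unless the tenant forbade the pair."""
    return a != b and frozenset((a, b)) not in cfg.forbidden

def local_controller_view(cfg: ServiceConfig, node_id: str) -> dict:
    """The slice of the tenant's configuration that the global controller hands to the
    local controller of one resource pool: its reachable peers and the segments it may
    route to. Routes toward a forbidden peer are never distributed to that pool."""
    peers = sorted(n.node_id for n in cfg.nodes if connection_allowed(cfg, node_id, n.node_id))
    local = sorted(r.segment for r in cfg.routing_rules if r.node_id == node_id)
    remote = {r.segment: r.node_id for r in cfg.routing_rules if r.node_id in peers}
    return {"network_id": cfg.network_id, "node": node_id, "peers": peers,
            "local_segments": local, "remote_segments": remote}

# Constructed sample: three pools from different providers, one pair forbidden.
SAMPLE = ServiceConfig(
    network_id="tenant-global-net-1",
    nodes=[TerminalNode("ep-cloud-a", PoolType.HOMOGENEOUS_CLOUD),
           TerminalNode("ep-cloud-b", PoolType.HETEROGENEOUS_CLOUD),
           TerminalNode("ep-dc-vm", PoolType.VIRTUAL_POOL)],
    forbidden={frozenset({"ep-cloud-b", "ep-dc-vm"})},
    routing_rules=[RoutingRule("10.1.0.0/16", "ep-cloud-a"),
                   RoutingRule("10.2.0.0/16", "ep-cloud-b"),
                   RoutingRule("192.168.10.0/24", "ep-dc-vm")],
)

if __name__ == "__main__":
    assert validate(SAMPLE) == []
    for node in SAMPLE.nodes:
        print(local_controller_view(SAMPLE, node.node_id))
```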
According to a second aspect, a cloud management platform has a corresponding function of implementing the cloud management platform in the method instance in the first aspect. For beneficial effects, refer to the descriptions of the first aspect. Details are not described herein again. The function may be implemented by hardware, or may be implemented by hardware by executing corresponding software. The hardware or software includes one or more modules corresponding to the foregoing function. In a possible design, a structure of the apparatus includes an obtaining module and a creation module. In a possible design, a first obtaining module and a second obtaining module may be a same module, and a first determining module and a second determining module may be a same module. These modules may perform a corresponding function of the cloud management platform in the method example in the first aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
According to a third aspect, a computing device cluster includes at least one computing device, and the at least one computing device has a corresponding function of implementing the cloud management platform in the method instance in the first aspect. For beneficial effects, refer to the descriptions of the first aspect. Details are not described herein again. A structure of each computing device includes a processor and a memory. The processor is configured to support the computing device in performing some or all corresponding functions of the cloud management platform in the method in the first aspect. The memory is coupled to the processor, and stores program instructions and data that are necessary for the computing device. A communication interface is further included in the structure of the computing device, and is configured to communicate with another device.
According to a fourth aspect, a computer-readable storage medium stores instructions, and when the instructions are run on a computer, the computer is enabled to perform the method in any one of the first aspect and any possible design of the first aspect.
According to a fifth aspect, a computer program product includes instructions. When the computer program product runs on a computer, the computer is enabled to perform the method in any one of the first aspect and any possible design of the first aspect.
According to a sixth aspect, a computer chip is connected to a memory, and the chip is configured to read and execute a software program stored in the memory, to perform the method in any one of the first aspect and any possible implementation of the first aspect.
For better understanding of solutions in embodiments, the following first describes some related terms and concepts that may be used in embodiments.
Overlay means establishing a logical network on a physical network. The overlay network is a logical network established on an underlay network. The underlay network is an underlying physical basis of the overlay network. The overlay network has various network protocols and standards, such as a virtual extensible local area network (VxLAN) and generic routing encapsulation (GRE). Currently, the VxLAN is a common protocol standard in the overlay network.
A VLAN is a network isolation technology that logically divides a physical LAN (local area network) into a plurality of broadcast domains. Specifically, in VLAN technology, a large physical layer 2 domain is divided into many small logical layer 2 domains, each of which is referred to as a VLAN. Devices in the same VLAN may communicate with each other at layer 2, while devices in different VLANs are isolated at layer 2. In other words, a physical local area network may be divided into a plurality of VLANs; all devices in a VLAN are in the same broadcast domain, and broadcasts cannot be propagated across VLANs.
In general, the VLAN is a network isolation technology. A physical local area network in a data center may be logically divided into a plurality of VLANs, distinguished by VLAN numbers. The VLAN number field defined in the standard is only 12 bits wide, so the available VLAN numbers range from 1 to 4094, which meets the requirement of a conventional data center. However, with the development of cloud computing technologies, the quantity of virtual machines in a data center is an order of magnitude larger than the quantity of original physical machines. The VLAN isolation capability cannot meet the requirements of public clouds or other large-scale virtualized cloud computing services that involve tens of thousands or more tenants. Therefore, VxLAN emerged.
VxLAN is an extension of VLAN. It uses network virtualization technology to virtualize a plurality of layer 2 networks on a physical network device. Specifically, VxLAN uses a tunneling technology to establish a layer 2 Ethernet tunnel over a layer 3 network, implementing cross-region layer 2 interconnection. In other words, VxLAN can create virtual layer 2 subnets or segments across a physical layer 3 network. Each layer 2 subnet has a VxLAN network identifier (VNI) that uniquely identifies its traffic segment. The VNI is 24 bits long and therefore supports more than 16 million virtual networks, which meets the ultra-multi-tenant and multi-instance scenarios of a cloud and other large-scale virtual networks.
The referenced figure is a diagram of a VxLAN network model. The network model includes three network devices and a plurality of hosts. A network device may be an independent network device, for example, a switch, a router, or a gateway, or may be a server on which a virtual machine is located. Different network devices may have different functions. For ease of description, two of the network devices are collectively referred to as layer 2 network devices, and the third network device is referred to as a layer 3 network device. It should be noted that the figure shows an example in which the layer 2 network device is a switch and the layer 3 network device is a router.
From a function perspective, a layer 2 network device may connect to one or more hosts, that is, establish connections with one or more hosts, to form a region network. The region network may be a LAN or VLAN, and may be understood as a subnet or broadcast domain. A host may be a server, or may be a computing instance running on the server, for example, a virtual machine or a container. The layer 2 network device provides a data path between any two hosts in the local area network, to implement communication between them. As shown in the figure, a source host sends a packet to a destination host, and the network device is configured to receive the packet sent by the source host and forward it to the destination host. The layer 3 network device may connect a plurality of local area networks to implement communication between hosts in different local area networks. The larger network formed by the plurality of local area networks may also be referred to as a layer 3 network.
In VxLAN technology, a plurality of virtual layer 2 networks may be created on a layer 3 network architecture by establishing VxLAN tunnels. For example, a VxLAN tunnel is established between two layer 2 network devices. In this case, each layer 2 network device may also be referred to as a VxLAN tunnel endpoint (VTEP), that is, the start point (source VTEP) or the end point (destination VTEP) of the VxLAN tunnel. Different virtual layer 2 networks are identified by VNIs. It may be understood that one VNI represents one tenant, and IP addresses within one VNI are unique. That is, hosts with the same VNI have different IP addresses, while hosts belonging to different VNIs may have the same IP address. A plurality of hosts connected to one network device may have different VNIs. The VxLAN tunnel is a virtual channel established between two network devices to transmit VxLAN packets.
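The following is an added example, not code from the patent: it makes the 12-bit VLAN number and 24-bit VNI limits discussed above concrete by building an 802.1Q tag and a VxLAN header, and it encapsulates an inner frame using exactly the routing information fields the first aspect lists (next-hop type, VNID, outer destination IP address, outer destination MAC address), with a receiving-side decapsulation that rejects malformed packets. The field names `next_hop_type`, `vnid`, `outer_dst_ip` and `outer_dst_mac` and all sample addresses are constructed for the example.

```python
import struct
import zlib
import ipaddress

VXLAN_UDP_PORT = 4789       # IANA port for VxLAN (RFC 7348)
MAX_VLAN_ID = 4094          # 12-bit VID; 0 and 4095 are reserved
MAX_VNI = (1 << 24) - 1     # 24-bit VNI

def dot1q_tag(vlan_id: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID 0x8100 followed by TCI (PCP:3, DEI:1, VID:12)."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..{MAX_VLAN_ID}")
    return struct.pack("!HH", 0x8100, ((pcp & 0x7) << 13) | vlan_id)

def vxlan_header(vni: int) -> bytes:
    """8-byte VxLAN header: flags (I bit set), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside 0..{MAX_VNI}")
    return struct.pack("!BBHI", 0x08, 0, 0, vni << 8)

def mac_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(int(p, 16) for p in parts)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(route: dict, src_mac: str, src_ip: str, inner_frame: bytes) -> bytes:
    """Wrap an inner Ethernet frame in outer Ethernet/IPv4/UDP/VxLAN headers using the
    routing information a local controller delivers (next-hop type, VNID, outer
    destination IP and MAC), so the computing node reaches the inter-domain gateway in one hop."""
    if route["next_hop_type"] != "vxlan_tunnel":
        raise ValueError(f"unsupported next hop type {route['next_hop_type']!r}")
    vx = vxlan_header(route["vnid"])
    # Source port derived from the inner header gives ECMP entropy (RFC 7348, section 6.1).
    src_port = 49152 + (zlib.crc32(inner_frame[:14]) & 0x3FFF)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 is allowed over IPv4
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(route["outer_dst_ip"]).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = mac_bytes(route["outer_dst_mac"]) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + udp + vx + inner_frame

def decapsulate(packet: bytes) -> dict:
    """Strip the outer headers at the receiving VTEP, rejecting malformed packets.
    A real VTEP must additionally check that the VNI belongs to a tenant it serves,
    because the same inner IP address may legitimately exist in several VNIs."""
    eth, ip, udp, vx = packet[:14], packet[14:34], packet[34:42], packet[42:50]
    if len(packet) < 50 or eth[12:14] != b"\x08\x00" or ip[0] != 0x45 or ip[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, dport, ulen, _ = struct.unpack("!HHHH", udp)
    if dport != VXLAN_UDP_PORT or not vx[0] & 0x08:
        raise ValueError("not a VxLAN packet with a valid VNI")
    vni = struct.unpack("!I", vx[4:8])[0] >> 8
    return {"vnid": vni,
            "outer_dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
            "outer_dst_mac": eth[:6].hex(":"),
            "inner_frame": packet[50:50 + ulen - 16]}

# Constructed sample routing information and a minimal inner frame (not values from the patent).
ROUTE = {"next_hop_type": "vxlan_tunnel", "vnid": 5001,
         "outer_dst_ip": "198.51.100.10", "outer_dst_mac": "02:aa:bb:cc:dd:ee"}
INNER = (mac_bytes("02:00:00:00:00:02") + mac_bytes("02:00:00:00:00:01")
         + b"\x08\x00" + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    pkt = encapsulate(ROUTE, "02:00:00:00:00:01", "203.0.113.5", INNER)
    print(decapsulate(pkt))
```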
The resource pool is a configuration mechanism. It is a logical abstraction for flexible resource management and is used to partition host resources. In other words, one resource pool includes one or more hosts, or the resource pool may be divided based on computing instances, and the computing instances include a virtual machine, a container, and the like. For example, one resource pool includes a plurality of virtual machines.
In embodiments, “a plurality of” means two or more than two. The term “and/or” describes an association relationship between associated objects, and indicates that three relationships may exist. For example, A and/or B may indicate the following cases: only A exists, both A and B exist, and only B exists, where A and B may be singular or plural. “One or more of the following items (pieces)” or a similar expression thereof refers to any combination of these items, including any combination of singular items or plural items. For example, one or more of a, b, or c may indicate a, b, c, a and b, a and c, b and c, or a, b, and c, where a, b, and c may be singular or plural.
The referenced figure is a diagram of an architecture of a data center. The physical architecture of the data center includes one or more virtual machine resource pools and one or more physical machine resource pools. Generally, one virtual machine resource pool includes a plurality of virtual machines, and one physical machine resource pool includes a plurality of physical servers. The virtual machines and the physical servers may be collectively referred to as computing resources, and these computing resources are used to run an enterprise business.
When the enterprise business runs in a data center, network interworking and network security are provided by hardware devices in the data center. As shown in the figure, layer 2 and layer 3 forwarding of east-west traffic (horizontal traffic, for example, traffic exchanged between virtual machines in the virtual machine resource pool and physical servers in the physical machine resource pool) in the physical networking of the data center is implemented by spine/leaf nodes. The leaf node may be a switch responsible for forwarding layer 2 network traffic, and the spine node may be a router responsible for forwarding layer 3 network traffic, or the like. Security protection for the east-west traffic is implemented by a firewall connected to a border leaf in off-path mode. Forwarding of north-south traffic (vertical traffic, where for example internet users access virtual machines in the virtual machine resource pool through the internet and those virtual machines send responses back to the internet users) is concentrated at the egress access zone of the data center. In addition to egress routers for traffic forwarding, security devices such as firewalls and web application firewalls (WAFs) are deployed in the egress access zone to ensure business security in the data center.
When the enterprise business is migrated to the cloud, that is, after an enterprise customer uses cloud computing resources of a cloud provider to build a cloud locally, from the perspective of entire data center networking, the cloud is integrated into a global network of a data center of the enterprise customer as an independent resource pool and is a part of the data center. The enterprise business is deployed in resource pools. Therefore, the cloud faces a requirement for network interworking across resource pools. For example, office applications of an enterprise customer are deployed in different resource pools in a distributed manner. When back-end data sharing is required, the enterprise customer requires that a global network of a data center support a direct connect (DC) interworking network across resource pools and clouds.
The following describes several existing network models for interworking across resource pools.
The referenced figure is a diagram of an architecture of a data plane for interworking across resource pools. As shown in the figure, the cloud system includes two clouds, each cloud includes a plurality of computing nodes (for example, physical servers), a plurality of cloud servers (for example, virtual machines) may be created on each computing node, and the cloud servers process a business of a tenant. Inter-domain interworking is implemented by x86 servers in an inter-domain gateway cluster. An overlay architecture, for example, a VxLAN architecture, is used in the cloud. A vSwitch (software) may be used for VTEP encapsulation on each computing node. The computing node and the inter-domain gateway cluster are directly connected in one hop.
In this solution, because the inter-domain gateway is implemented by x86 servers, costs are high. In addition, computing power is provided only by the CPU of the x86 server, so the CPU is prone to become a bottleneck: when traffic pressure is heavy, the inter-domain communication delay increases and stability deteriorates. Furthermore, the architecture used in this solution applies only to homogeneous clouds and does not support heterogeneous clouds, conventional virtual machine resource pools, or conventional physical machine resource pools. Homogeneous clouds are a plurality of clouds provided by the same cloud provider. For example, in the figure, when the two clouds are provided by the same cloud provider, they are homogeneous clouds; conversely, if the two clouds are provided by different cloud providers, they are heterogeneous clouds.
The referenced figure is another diagram of an architecture of a data plane for interworking across resource pools. As shown in the figure, a hardware device (for example, a top-of-rack network virtualization edge (TOR-NVE)) is used in a cloud to perform overlay encapsulation, and the inter-domain gateway is also implemented in hardware. Both the inter-domain gateway and the TOR-NVE have their configurations delivered automatically by a software-defined networking (SDN) controller (not shown in the figure), so that an optimal path between a computing node and the inter-domain gateway can be implemented.
This solution is generally used by network device vendors that have hardware SDN controllers. The SDN controller manages devices (such as TOR-NVEs) and inter-domain gateways in a resource pool in a unified manner. However, an intra-domain solution that uses a current mainstream vSwitch for overlay is not supported. In addition, the architecture used in this solution can be applied only to homogeneous clouds, not heterogeneous clouds.
The referenced figure is still another diagram of an architecture of a data plane for interworking across resource pools. This solution depends on a direct connect capability that a resource pool exposes externally, and allows a third party to access a direct connect gateway in the resource pool through an inter-domain gateway. A plurality of clouds may access the inter-domain gateway cluster of the same third party to implement interworking across resource pools. As the figure shows, an overlay architecture is used in the cloud, a vSwitch may be used for VTEP encapsulation in the domain, and the inter-domain gateway implements interworking through the intra-domain network of the direct connect gateway.
This solution supports both homogeneous clouds and heterogeneous clouds and has higher compatibility. However, this solution depends on the direct connect capability provided in the domain. A direct connect configuration is complex, a data plane path is long, and a delay is long.
It can be learned that, currently, multi-cloud multi-pool networks differ greatly, configurations are complex, and efficiency is low. Network functions in different resource pools are similar, but network model abstractions are different. Multi-site networks are isolated and cannot be managed and controlled in a centralized manner. If no unified management tool is available, network administrators need to manually combine complex networks of resource pools of different types. It is very difficult to configure and manage. An enterprise customer is eager to implement unified configuration, management, and operations and maintenance of networks across resource pools. However, currently, no vendor can provide a unified management tool for hybrid multi-cloud multi-pool deployment to resolve complex network management problems for the enterprise customer.
In view of this, embodiments provide a general-purpose network interworking service for hybrid multi-cloud multi-pool deployment. The network interworking service may support multi-cloud at a platform as a service (PaaS) layer, and implement automatic network connection at an infrastructure as a service (IaaS) layer. A tenant leases the service to implement unified configuration, management, and operations and maintenance of a multi-resource pool network.